Department of Homeland Security

Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit

OIG-12-77                                           May 2012

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

May 1, 2012

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

This report presents the information technology (IT) management letter for the FY 2011 U.S. Customs and Border Protection (CBP) Component financial statement audit as of September 30, 2011. It contains observations and recommendations related to information technology internal control that were summarized in the Independent Auditors’ Report dated January 27, 2012 and presents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at the CBP component in support of the DHS FY 2011 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter and the conclusions expressed in it. We do not express opinions on DHS’ financial statements or internal control or conclusion on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Frank Deffer
Assistant Inspector General
Office of Information Technology Audits

KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

March 28, 2012

Acting Inspector General
U.S. Department of Homeland Security

Chief Information Officer and
Chief Financial Officer
U.S. Customs and Border Protection

We have audited the consolidated balance sheets of the U.S. Customs and Border Protection (CBP), a Component of the U.S. Department of Homeland Security (DHS), as of September 30, 2011 and 2010, and the related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources (hereinafter referred to as “consolidated financial statements”) for the years then ended. In planning and performing our audit of CBP’s consolidated financial statements, we considered CBP’s internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements.

In connection with our fiscal year (FY) 2011 engagement, we considered CBP’s internal control over financial reporting by obtaining an understanding of CBP’s internal controls, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our procedures. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and the Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982. The objective of our engagement was not to provide an opinion on the effectiveness of CBP’s internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of CBP’s internal control over financial reporting.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Our audit of CBP as of, and for the year ended, September 30, 2011, disclosed a significant deficiency in the areas of Information Technology (IT) security management, access controls, configuration management, segregation of duties, contingency planning, and application controls. These matters are described in the General IT Control Findings and Recommendations and the Application Control Finding and Recommendation sections of this letter.

The significant deficiency described above is presented in our Independent Auditors’ Report, dated January 27, 2012. This letter represents the separate restricted distribution letter mentioned in that report.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.

The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only.

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. We aim to use our knowledge of CBP gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key CBP financial systems and IT infrastructure within the scope of the FY 2011 CBP consolidated financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C.

This communication is intended solely for the information and use of DHS and CBP management, the DHS Office of Inspector General (OIG), the OMB, the U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,
Department of Homeland Security
U.S. Customs and Border Protection
Information Technology Management Letter
September 30, 2011

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

Objective, Scope, and Approach
Summary of Findings and Recommendations
General IT Control Findings and Recommendations
    Security Management
        After-Hours Physical Security Testing
        Social Engineering Testing
    Access Control
    Configuration Management
    Segregation of Duties
    Contingency Planning
Application Control Finding and Recommendation

APPENDICES

Appendix A  Description of Key CBP Financial Systems and IT Infrastructure within the Scope of the FY 2011 DHS Financial Statement Audit
Appendix B  FY 2011 Notices of IT Findings and Recommendations at CBP
            - Notices of Findings and Recommendations – Definition of Severity Ratings
Appendix C  Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at CBP
Appendix D  Report Distribution

OBJECTIVE, SCOPE, AND APPROACH

We have audited the consolidated balance sheets of the U.S. Customs and Border Protection (CBP), a component of the U.S. Department of Homeland Security (DHS), and related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources (hereinafter, referred to as “consolidated financial statements”) as of September 30, 2011 and 2010. In connection with our audit of CBP’s consolidated financial statements, we performed an evaluation of general information technology controls (GITCs), to assist in planning and performing our audit. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our GITC evaluation procedures. The scope of the GITC evaluation is further described in Appendix A.

FISCAM was designed to inform financial auditors about information technology (IT) controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment:

• Security Management (SM) – Controls provide reasonable assurance that security management is effective.
• Access Control (AC) – Controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals.
• Configuration Management (CM) – Controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended.
• Segregation of Duties (SD) – Controls provide reasonable assurance that incompatible duties are effectively segregated.
• Contingency Planning (CP) – Controls provide reasonable assurance that contingency planning: (1) protects information resources and minimizes the risk of unplanned interruptions and (2) provides for recovery of critical operations should interruptions occur.

To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls in the CBP environment. The technical security testing was performed from within select CBP facilities, and focused on production devices that directly support key general support systems. In addition, we performed application control tests on a limited number of CBP’s financial systems. The application control testing was performed to assess the controls that support the financial systems’ internal controls over the input, processing, and output of financial data and transactions. FISCAM defines application controls as follows: Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.

Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit, Page 1

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2011, CBP took corrective action to address prior year IT control weaknesses. For example, CBP made improvements over various system logical access processes and system security settings. However, during FY 2011, we identified new and continuing general IT control weaknesses that could potentially impact CBP’s financial data. The most significant weaknesses from a financial statement audit perspective related to controls over access to programs and data. Collectively, the IT control weaknesses limited CBP’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over CBP financial reporting and its operation, and we considered them to collectively represent a significant deficiency for CBP under standards established by the American Institute of Certified Public Accountants. The IT findings were combined into a significant deficiency regarding IT for the FY 2011 audit of the CBP consolidated financial statements.

In FY 2011, our IT audit work identified 36 IT findings, of which 19 were repeat findings from the prior year and 17 were new findings. In addition, we determined that CBP remediated 4 IT findings identified in previous years. Collectively, these findings represent deficiencies in all five FISCAM key control areas, as well as deficiencies related to financial system functionality. These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and CBP financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in CBP’s financial statements.

The recommendations made by us in this report are intended to be helpful, and may not fully remediate the related deficiency. CBP management has the responsibility to determine the most appropriate methods for addressing the weaknesses identified based on their system capabilities and available resources.
GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings:

During the FY 2011 CBP financial statement audit, we identified the following IT and financial system control deficiencies that in the aggregate are considered a significant deficiency:

Security Management
• Systems certification and accreditation:
    - System security plan updates were not current or effectively communicated for one system;
    - Security test and evaluation documentation was not completed annually for multiple systems, in accordance with DHS policy; and
    - Interconnection security agreements (ISA) were not fully documented for one system.
• Non-current policies and procedures:
    - Separation procedures for contract employees were out of date and included incomplete and inaccurate references.
• Lack of compliance with existing policies:
    - IT-based specialized security training requirements had not been fully implemented and enforced;
    - Several instances where background investigations of federal employees and contractors employed to operate, manage and provide security over IT systems were not being properly conducted;
    - Non-disclosure agreements were not consistently completed;
    - Exit processing procedures for transferred/terminated personnel, including contractors, were not consistently followed or communicated internally in a timely manner; and
    - Evidence on whether CBP workstations that are not currently part of the Microsoft Active Directory are being managed to receive current security patches could not be provided.

After-Hours Physical Security Testing
During the after-hours physical security walkthrough of selected CBP locations in the Washington, D.C. area, 18 instances were identified in which assets and information had inadequate protection against unauthorized access, misuse, or misappropriation. Specific weaknesses identified and the locations where the instances were identified are included in the following matrix:

                                         CBP Locations Tested
Exceptions Noted                NDC-7 (BLM   NDC-1   Beauregard     Tyson’s   National   Total Exceptions
                                Building)            (Alexandria)   Corner    Place      by Type
Passwords                            0         2          0            0         2              4
For Official Use Only (FOUO)         0         2          0            0         0              2
Keys/Badges                          0         0          0            0         0              0
Personally Identifiable
  Information (PII)                  1         5          0            0         1              7
Server Names/IP Addresses            1         1          0            0         0              2
External Drives, Removable
  Media, Blackberries, or
  Other Unsecured Property           1         0          0            0         1              2
Credit Card Numbers                  1         0          0            0         0              1
Classified Documents                 0         0          0            0         0              0
Total Exceptions by Location         4        10          0            0         4             18

Note that approximately 15 desks / offices were examined at each of the locations above.

Social Engineering Testing
Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing/enabling computer system access. The term typically applies to deception for the purpose of information gathering, or gaining computer system access, shown in the following table:

Total Called   Total Answered   Number of people who provided a username and/or password
     36              25         1 – Both User Name and Password

Access Control
• Deficiencies in management of application and/or database accounts, network, and remote user accounts:
    - Strong password requirements were not enforced for network accounts;
    - User account lists were not periodically reviewed for appropriateness, and users were not disabled or removed promptly upon personnel termination; and
    - Initial access and modified access granted to application and/or database, network, and remote users were not properly documented and authorized.
• Ineffective or insufficient use of available audit logs:
    - Logs of auditable events were not being reviewed to identify potential incidents, or were reviewed by those with conflicting roles; and
    - Documented procedures for audit log follow-up did not meet DHS requirements.
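The Access Control findings above (and the account-change reconciliation recommended later in this letter) describe periodic review controls that can be automated. The following script is an added illustration, not part of KPMG’s letter or any CBP tool; the account export, HR separation list, change log, ticket records and reviewer/administrator rosters are constructed sample data and the field names are assumptions.

```python
from datetime import date

# Constructed sample inputs (not taken from the report): an application account
# export, the HR separation list, the application's account-change log, and the
# approved access-request tickets that each change should trace back to.
ACCOUNTS = [
    {"user": "jsmith",  "enabled": True,  "role": "dba"},
    {"user": "alee",    "enabled": True,  "role": "clerk"},
    {"user": "rpatel",  "enabled": False, "role": "clerk"},
    {"user": "mgarcia", "enabled": True,  "role": "clerk"},
]
SEPARATIONS = {"alee": date(2011, 7, 15), "rpatel": date(2011, 8, 1)}
CHANGE_LOG = [
    {"user": "mgarcia", "action": "create",    "by": "kwong",  "ticket": "AR-101"},
    {"user": "jsmith",  "action": "grant:dba", "by": "jsmith", "ticket": None},
    {"user": "alee",    "action": "modify",    "by": "kwong",  "ticket": "AR-102"},
]
APPROVED_REQUESTS = {"AR-101": "mgarcia"}             # ticket -> user it authorizes
LOG_REVIEWERS = {"finance-app": ["jsmith", "kwong"]}  # who reviews each system's audit log
SYSTEM_ADMINS = {"finance-app": ["jsmith"]}           # who administers each system


def stale_accounts(accounts, separations, as_of, grace_days=1):
    """Return (user, days_since_separation) for accounts that are still enabled
    more than grace_days after HR recorded the separation."""
    findings = []
    for acct in accounts:
        left = separations.get(acct["user"])
        if acct["enabled"] and left is not None:
            days = (as_of - left).days
            if days > grace_days:
                findings.append((acct["user"], days))
    return findings


def unauthorized_changes(change_log, approved):
    """Return (user, action, reason) for account changes that cannot be reconciled
    to an approved request, or that an administrator applied to their own account."""
    findings = []
    for entry in change_log:
        if entry["by"] == entry["user"]:
            findings.append((entry["user"], entry["action"], "self-administered change"))
        elif entry["ticket"] is None:
            findings.append((entry["user"], entry["action"], "no authorization ticket"))
        elif approved.get(entry["ticket"]) != entry["user"]:
            findings.append((entry["user"], entry["action"],
                             f"ticket {entry['ticket']} does not authorize this user"))
    return findings


def conflicting_reviewers(reviewers, admins):
    """Return (system, reviewer) where the person reviewing a system's audit log
    also administers that system, so they would be reviewing their own activity."""
    return sorted((system, person)
                  for system, people in reviewers.items()
                  for person in people
                  if person in admins.get(system, []))


def run_review(as_of=date(2011, 9, 30)):
    """Run all three checks as of the given date and return the findings."""
    return {
        "stale_accounts": stale_accounts(ACCOUNTS, SEPARATIONS, as_of),
        "unauthorized_changes": unauthorized_changes(CHANGE_LOG, APPROVED_REQUESTS),
        "conflicting_reviewers": conflicting_reviewers(LOG_REVIEWERS, SYSTEM_ADMINS),
    }


if __name__ == "__main__":
    for check, items in run_review().items():
        print(check)
        for item in items:
            print("  ", item)
```

Each returned finding carries the evidence an auditor would ask for (days elapsed, missing or mismatched ticket, the conflicting role), so the output can be retained as the review record the recommendations call for.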
Configuration Management
• Lack of documented policies and procedures:
    - Configuration, vulnerability, and patch management plans had not been established and implemented, or did not comply with DHS policy.
• Security patch management and configuration deficiencies were identified during the vulnerability assessment on hosts supporting the key financial applications and general support systems.

Segregation of Duties
• Lack of evidence to show that least privilege and segregation of duties controls exist for one system; and
• Users with privileged access were granted conflicting roles which compromised segregation of duties principles. Further, mitigating controls were not in place to identify unauthorized activities performed by individuals with conflicting access roles.

Contingency Planning
• One system’s contingency plan was not updated based on recent testing results; and
• Access to backup media was not regularly reviewed and updated based on changes to personnel staffing and job roles.

Recommendations:

We recommend that the CBP Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS Office of Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to CBP’s financial management systems and associated information technology security program.

Security Management
• Update systems security policies and procedures to be in compliance with DHS policy.
• Maintain and update system security plans and other relevant system documentation to reflect current conditions and results of testing and control reviews.
• Maintain current ISAs for in-scope applications, and maintain a current listing of these interconnections.
• Maintain, update, and communicate personnel hiring and termination policies. In addition, enforce the implementation of internal controls for the personnel processes including the completion of non-disclosure agreements.
• Complete all investigations and periodic reinvestigations of personnel as required by DHS policy during fiscal year 2012.
• Continue with the development and testing of a Role-Based Security Training (RBST) pilot program based on the DHS RBST program model.
• Develop a process to ensure workstations are properly updated with security patches.

After-Hours Physical Security Testing:
• Continue efforts to enhance the CBP security awareness campaigns.

Social Engineering Testing:
• Implement multiple types of security awareness reminders and opportunities to educate users on the importance of protecting CBP information systems and data.

Access Control
• Implement and configure technology to record user account changes. In addition, implement a process to regularly and independently reconcile changes made to user accounts within the application to source authorization documentation.
• Ensure that all requests for general and emergency access to applications, systems, and networks, including remote users, are supported by an appropriately authorized request for access. Conduct training for security administrators as necessary to ensure compliance with this process.
• Recertify, revalidate, and update privileged and non-privileged user access.
• Revoke user access in a timely manner when personnel are transferred, separated from the organization, or when job duties change and no longer necessitate a need for system access.
• Implement a process for logging changes to critical and sensitive data and regularly reviewing the contents of these logs. Maintain evidence of the review of these logs.
• Implement controls to enforce password complexity requirements including protecting against the use of passwords that contain dictionary-based words.

Configuration Management
• Finalize and formally distribute an updated configuration management plan.
• Patch, upgrade, correct, or obtain waivers for any identified weaknesses as a result of the IT technical vulnerabilities assessment.

Segregation of Duties
• Identify system and application roles that should not be combined based on the principles of segregation of duties. When segregation of duties is compromised based on a valid business reason, perform and document independent reviews of activities executed by users with non-segregated access.

Contingency Planning
• Maintain current contingency plans for the in-scope systems that reflect current conditions and the results of testing the contingency plans.
• Periodically recertify personnel with access to backup media stored off site. Maintain documentation of this recertification of access.

APPLICATION CONTROL FINDING AND RECOMMENDATION

During the FY 2011 CBP financial statement audit, we identified the following application control and financial system functionality deficiency that, when aggregated with the GITC deficiencies, is considered a significant deficiency:

Finding:

• One financial system lacks the controls necessary to prevent, or detect and correct excessive drawback claims. Specifically, the programming logic for the system does not link drawback claims to imports at a detailed, line item level. This would potentially allow the importer to receive claims in excess of an allowable amount.

Recommendation:

• We recommend that the CBP CIO and CFO, in coordination with the DHS Office of Chief Financial Officer and the DHS Office of the Chief Information Officer prioritize, develop, and deploy functionality that will allow CBP to prevent or detect and correct excessive drawback claims.

Appendix A

Description of Key CBP Financial Systems and IT Infrastructure within the Scope of the FY 2011 DHS Financial Statement Audit

Below is a description of significant U.S. Customs and Border Protection (CBP) financial management systems and supporting IT infrastructure included in the scope of CBP’s FY 2011 financial statement audit.

Automated Commercial Environment (ACE)
ACE is the commercial trade processing system being developed by CBP to facilitate trade while strengthening border security. It is CBP’s plan that this system will replace ACS when ACE is fully implemented. The mission of ACE is to implement a secure, integrated, government-wide system for the electronic collection, use, and dissemination of international trade and transportation data essential to Federal agencies. ACE is being deployed in phases, without a final, full deployment date due to funding setbacks. As ACE is partially implemented now and processes a significant amount of revenue for CBP, ACE was included in full scope in the FY 2011 financial statement audit. The ACE system is located in Virginia (VA).

Automated Commercial System (ACS)
ACS is a collection of mainframe-based business process systems used to track, control, and process commercial goods and conveyances entering the United States territory, for the purpose of collecting import duties, fees, and taxes owed to the Federal government. ACS collects duties at ports, collaborates with financial institutions to process duty and tax payments, provides automated duty filing for trade clients, and shares information with the Federal Trade Commission on trade violations and illegal imports. The ACS system was included in full scope in the FY 2011 financial statement audit. The ACS system is located in VA.

National Data Center – Local Area Network (NDC LAN)
The NDC-LAN was absorbed by the DC Metro LAN and the Data Center Infrastructure LAN during the end of FY 2011. The NDC-LAN provided more than 1,200 CBP contractor and employee users with access to enterprise-wide applications and systems. The mission of the NDC-LAN was to support Field Offices/Agents with applications and technologies in the securing and protection of our nation’s borders. The NDC-LAN consisted of five Novell NetWare 6.5 servers, various workstations and printers/plotters, 11 Cisco switches, and the associated Novell NetWare management applications. There were no major or minor applications running on the NDC-LAN other than the file and print services associated with the Novell NetWare servers. The NDC-LAN was an unclassified system processing For Official Use Only (FOUO) data. As the NDC-LAN included the environment where the ACE, ACS, and SAP applications physically reside, the NDC-LAN was included in limited scope in the FY 2011 financial statement audit. The NDC LAN is located in VA.

Systems, Applications, and Products, Enterprise Central Component (SAP ECC)
SAP is a client/server-based financial management system and includes the Funds Management, Budget Control System, General Ledger, Real Estate, Property, Internal Orders, Sales and Distribution, Special Purpose Ledger, and Accounts Payable modules. These modules are used by CBP to manage assets (e.g., budget, logistics, procurement, and related policy), revenue (e.g., accounting and commercial operations: trade, tariff, and law enforcement), and to provide information for strategic decision making.
The SAP ECC financial management system was included\nin full scope in the FY 2011 financial statement audit. The SAP ECC system is located in VA.\n\n\n\n\nInformation Technology Management Letter for the FY 2011 U.S. Customs and Border Protection \n\n                               Financial Statement Audit \n\n                                         Page 11\n\x0c                                                                               Appendix B\n                           Department of Homeland Security\n                          U.S. Customs and Border Protection\n                       Information Technology Management Letter\n                                  September 30, 2011\n\n\n\n\n                                     Appendix B \n\nFY 2011 Notices of IT Findings and Recommendations at CBP \n\n\n\n\n\nInformation Technology Management Letter for the FY 2011 U.S. Customs and Border Protection \n\n                               Financial Statement Audit \n\n                                         Page 12\n\x0c                                                                                        Appendix B\n                                Department of Homeland Security\n                               U.S. 
Customs and Border Protection\n                            Information Technology Management Letter\n                                       September 30, 2011\n\nNotices of Findings and Recommendations (NFR) \xe2\x80\x93 Definition of Severity Ratings:\n\nEach NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on\nthe CBP Independent Auditors\xe2\x80\x99 Report.\n\n      1 \xe2\x80\x93 Not substantial\n      2 \xe2\x80\x93 Less significant\n      3 \xe2\x80\x93 More significant\n\nThe severity ratings indicate the degree to which the deficiency influenced the determination of\nseverity for reporting purposes.\n\nThese ratings are provided only to assist CBP in prioritizing the development of its corrective action\nplans for remediation of the deficiency.\n\n\n\n\nInformation Technology Management Letter for the FY 2011 U.S. Customs and Border Protection \n\n                               Financial Statement Audit \n\n                                         Page 13\n\x0c                                                                                                                            Appendix B\n                                                   Department of Homeland Security\n                                                  U.S. 
Customs and Border Protection\n                                               Information Technology Management Letter\n                                                          September 30, 2011\n\n\n                                                                                                                2011\n                                                                                                                         New     Repeat\nFY 2011 NFR #                                NFR Title                                 FISCAM Control Area    Severity\n                                                                                                                         Issue    Issue\n                                                                                                               Rating\n                Security Awareness Issued Identified During Enhanced Security\nCBP-IT-11-01                                                                              Access Controls        2                 X\n                Testing\nCBP-IT-11-02    Physical Security Issues Identified During Enhanced Security Testing      Access Controls        2                 X\nCBP-IT-11-03    Inadequate Role-based Security Training Program                         Security Management      2                 X\nCBP-IT-11-04    Segregation of Duties Control Weaknesses Within a CBP System              Access Controls        3                 X\nCBP-IT-11-05    CBP System User Profile Change Logs are Not Reviewed                      Access Controls        3                 X\n                Lack of Monitoring of Developer Emergency/Temporary Access to\nCBP-IT-11-07                                                                              Access Controls        3                 X\n                CBP System Production\nCBP-IT-11-08    CBP System Novell Server Audit Logs Review Weaknesses                     Access Controls        2        X\nCBP-IT-11-09    
CBP System Contingency Plan Has Not Been Updated                       Contingency Planning      1        X\nCBP-IT-11-10    Lack of Update to CBP System Security Plan                              Security Management      2        X\n                Incomplete Background Investigations and Reinvestigations for CBP\nCBP-IT-11-11                                                                            Security Management      2                 X\n                Employees and Contractors\n                Contractor Separation Procedures Were Not Updated and Contractor\nCBP-IT-11-12                                                                              Access Controls        2                 X\n                Separation Forms are Not Maintained\nCBP-IT-11-13    Inadequate Documentation of CBP System Access Change Requests             Access Controls        2                 X\nCBP-IT-11-14    CBP System User Profile Change Logs Are Not Reviewed                      Access Controls        3        X\n                Incomplete Access Request Forms and Approvals for New CBP\nCBP-IT-11-15                                                                              Access Controls        3                 X\n                System Accounts\nCBP-IT-11-16    Lack of Annual Recertification of CBP System Users                        Access Controls        3        X\n                Incomplete Access Request Approval Forms for New Remote Access\nCBP-IT-11-17                                                                              Access Controls        2        X\n                User Accounts\n\n\n\n\n        Information Technology Management Letter for the FY 2011 U.S. 
Customs and Border Protection Financial Statement Audit\n                                                              Page 14\n\x0c                                                                                                                               Appendix B\n                                                   Department of Homeland Security\n                                                  U.S. Customs and Border Protection\n                                               Information Technology Management Letter\n                                                          September 30, 2011\n\n                                                                                                                   2011\n                                                                                                                            New     Repeat\nFY 2011 NFR #                                NFR Title                                 FISCAM Control Area       Severity\n                                                                                                                            Issue    Issue\n                                                                                                                  Rating\n                Incomplete Documentation of Interconnection Security Agreements for\nCBP-IT-11-18                                                                              Access Controls           2                 X\n                CBP System Connections\nCBP-IT-11-19    Contractor Non-Disclosure Agreements are Incomplete                       Access Controls           2                 X\nCBP-IT-11-20    Weaknesses Over the Employee Separation Process                           Access Controls           2                 X\nCBP-IT-11-21    CBP System Audit Logs Not Appropriately Reviewed                          Access Controls           3        X\nCBP-IT-11-22    Lack of Access Requests and Approvals for CBP System Accounts   
          Access Controls           3                 X\nCBP-IT-11-23    Lack of Update to CBP System Security Test & Evaluation (ST&E)          Security Management         2        X\n                CBP System Configuration Management Policies and Procedures Not\nCBP-IT-11-24                                                                          Configuration Management      2        X\n                Formally Documented\nCBP-IT-11-25    Weaknesses in Allowed Network Authenticators                              Access Controls           2        X\nCBP-IT-11-26    CBP System Audit Logs Review Weaknesses                                   Access Controls           3                 X\n                Security Weaknesses Identified During the Technical Vulnerability\nCBP-IT-11-27                                                                            Security Management         2                 X\n                Assessment\nCBP-IT-11-28    Security Posture of CBP Workstations                                    Security Management         2                 X\nCBP-IT-11-30    Separated Personnel on CBP System User Listing                            Access Controls           3        X\nCBP-IT-11-31    Lack of Functionality in a CBP System                                   Application Controls        3                 X\nCBP-IT-11-32    Separated Personnel with Active Access Privileges to CBP System           Access Controls           2        X\nCBP-IT-11-33    Lack of Update to CBP System ST&E                                       Security Management         2        X\nCBP-IT-11-34    Lack of Update to CBP System ST&E                                       Security Management         2        X\nCBP-IT-11-35    Access to Media Recertification is Incomplete                           Contingency Planning        1                 X\nCBP-IT-11-36    Lack of Annual Recertification of CBP System Users                        Access Controls           3        
X\n\n\n\n        Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit\n                                                              Page 15\n\x0c                                                                                                                               Appendix B\n                                                         Department of Homeland Security\n                                                        U.S. Customs and Border Protection\n                                                     Information Technology Management Letter\n                                                                September 30, 2011\n\n                                                                                                                   2011\n                                                                                                                            New      Repeat\n  FY 2011 NFR #                                    NFR Title                            FISCAM Control Area      Severity\n                                                                                                                            Issue     Issue\n                                                                                                                  Rating\n   CBP-IT-11-37       CBP System Privileged User Access Weaknesses                         Access Controls          3        X\n                      CBP System Segregation of Duties Weaknesses over the Production\n   CBP-IT-11-38                                                                            Access Controls          3        X\n                      Environment\nNote 1: NFRs numbers CBP-IT-11-06 and CBP-IT-11-29 were not used in this sequence. 
\n\nNote 2: Specific system names were replaced with \xe2\x80\x9cCBP System\xe2\x80\x9d for security purposes\n\n\n\n\n\n             Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit\n                                                                   Page 16\n\x0c                                                                                      Appendix C\n                             Department of Homeland Security\n                            U.S. Customs and Border Protection\n                         Information Technology Management Letter\n                                    September 30, 2011\n\n\n\n\n                                       Appendix C \n\nStatus of Prior Year Notices of Findings and Recommendations and \n\n       Comparison to Current Year Notices of Findings and \n\n                     Recommendations at CBP \n\n\n\n\n\n  Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection \n\n                                 Financial Statement Audit \n\n                                           Page 17\n\x0c                                                                                                    Appendix C\n                                    Department of Homeland Security\n                                   U.S. 
Customs and Border Protection\n                                Information Technology Management Letter\n                                           September 30, 2011\n\n     NFR #                                    Description                                      Disposition\n                                                                                         Closed       Repeat\n\n CBP-IT-10-01     Separated Employees on System User Listings                              X\n CBP-IT-10-02     Segregation of Duties Control Weaknesses Within a CBP System                     CBP-IT-11-04\n                  CBP System Audit Log Reviews are Not Formally Documented to\n CBP-IT-10-03                                                                                      CBP-IT-11-26\n                  Include All Appropriate Information and Detail\n CBP-IT-10-04     Recertification Review of CBP System User Accounts                       X\n                  Security Awareness Issue Identified During Enhanced Security\n CBP-IT-10-05                                                                                      CBP-IT-11-01\n                  Testing\n                  Incomplete Access Request Forms and Approvals For New CBP\n CBP-IT-10-06                                                                                      CBP-IT-11-15\n                  System Accounts\n CBP-IT-10-07     Physical Security Issues Identified During Enhanced Security Testing             CBP-IT-11-02\n                  Contractor Separation Procedures are Not Updated and Contractor\n CBP-IT-10-08                                                                                      CBP-IT-11-12\n                  Separation Forms are Not Maintained\n CBP-IT-10-09     Employee Separation Forms are not Maintained                                     CBP-IT-11-20\n                  Non-Disclosure Agreements for CBP Contractors in Moderate and\n CBP-IT-10-10                                   
                                                   CBP-IT-11-19\n                  High-level Risk Positions are Not Completed\n CBP-IT-10-11     Installation of Virus Protections on CBP Workstations                            CBP-IT-11-28\n CBP-IT-10-12     Inadequate Role-Based Security Training Program                                  CBP-IT-11-03\n CBP-IT-10-13     Raised Floor Access Authorization Process Weaknesses                     X\n CBP-IT-10-14     CBP System User Profile Change Logs are Not Reviewed                             CBP-IT-11-05\n CBP-IT-10-15     Vulnerability Assessment Weaknesses with CBP Systems                             CBP-IT-11-27\n                  Incomplete Documentation of Interconnection Security Agreements\n CBP-IT-10-16     (ISA) for CBP System Participating Government Agencies (PGA)                     CBP-IT-11-18\n                  Connections\n CBP-IT-10-17     Lack of Access Requests and Approval for CBP System Account                      CBP-IT-11-22\n                  Evidence of Personnel Authorization to Access Backup Media Not\n CBP-IT-10-18                                                                                      CBP-IT-11-35\n                  Available\n                  CBP System User Access Profile Change Log Review Procedures\n CBP-IT-10-19                                                                                      CBP-IT-11-05\n                  Have Not Been Implemented\n                  Unauthorized Access Attempt Setting for the Mainframe Have Not\n CBP-IT-10-20                                                                              X\n                  Been Configured\n                  Background Investigations and Reinvestigations for CBP Employees\n CBP-IT-10-21                                                                                      CBP-IT-11-11\n                  and Contractors are Not Completed\n                  Lack of Monitoring of Developer 
Emergency/Temporary Access to\n CBP-IT-10-22                                                                                      CBP-IT-11-07\n                  CBP System Production\n CBP-IT-10-23     Lack of Access Requests and Approval for CBP System Accounts                     CBP-IT-11-13\n CBP-IT-10-24     CBP System Functionality Issues                                                  CBP-IT-11-31\n\nNote: Specific system names were replaced with \xe2\x80\x9cCBP System\xe2\x80\x9d for security purposes.\n\n\n      Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection\n                                     Financial Statement Audit\n                                               Page 18\n\x0c                                                                                    Appendix D\n                           Department of Homeland Security\n                        Immigration and Customs Enforcement\n                       Information Technology Management Letter\n                                  September 30, 2011\n\n                 Report Distribution\n\n                 Department of Homeland Security\n\n                 Secretary\n                 Deputy Secretary\n                 General Counsel\n                 Chief of Staff\n                 Deputy Chief of Staff\n                 Executive Secretariat\n                 Under Secretary, Management\n                 Commissioner, CBP\n                 DHS Chief Information Officer\n                 DHS Chief Financial Officer\n                 Chief Financial Officer, CBP\n                 Chief Information Officer, CBP\n                 Chief Information Security Officer\n                 Assistant Secretary for Office of Policy\n                 Assistant Secretary for Office of Public Affairs\n                 Assistant Secretary for Office of Legislative Affairs\n                 DHS GAO/OIG Audit Liaison\n                 Chief Information Officer, 
Audit Liaison\n                 CBP Audit Liaison\n\n                 Office of Management and Budget\n\n                 Chief, Homeland Security Branch\n                 DHS OIG Budget Examiner\n\n                 Congress\n\n                 Congressional Oversight and Appropriations Committees, as\n                 appropriate\n\n\n\n\nInformation Technology Management Letter for the FY 2011 U.S. Customs and Border Protection \n\n                               Financial Statement Audit \n\n                                         Page 19\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General\n(OIG) at (202)254-4100, fax your request to (202)254-4305, or e-mail your request to\nour OIG Office of Public Affairs at DHS-OIG.OfficePublicAffairs@dhs.gov. For\nadditional information, visit our OIG website at www.oig.dhs.gov or follow us on Twitter\n@dhsoig.\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal\nor noncriminal misconduct relative to Department of Homeland Security programs and\noperations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202)254-4292\n\n\xe2\x80\xa2 E-mail us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n        DHS Office of Inspector General/MAIL STOP 2600,\n        Attention: Office of Investigation - Hotline,\n        245 Murray Drive SW, Building 410\n        Washington, DC 20528\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c"